In systems where samples are sent for analysis to an analysis provider who then returns the results to the sample provider, privacy and security can be important considerations. For example, in analysis of biological samples such as genetic material provided by an individual, ensuring that results remain confidential, and that the individual's privacy is protected, may be especially important. Consider, for instance, sample analysis to determine aspects of an individual's genetic make-up. The following description will focus on this type of application as providing a particularly poignant example of a situation where privacy and security are critical. It should be understood, however, that the techniques to be described may also be applied in other privacy-sensitive sample analysis scenarios.
Genetic analysis may be performed for various purposes in medical environments, and may also be offered as a service to consumers who wish to obtain information about their genetic make-up, e.g. information about their genotype and phenotype. Currently, multiple companies offer gene analysis to end users as a service. A typical mode of operation is that the user pays in advance and obtains a salivary test kit. For example, the user may register with a web site of the analysis provider and pay on-line, giving a mailing address for the test kit. The user then sends a salivary sample to the analysis provider. Following analysis of the sample, the results are communicated to the user. For example, the user might be given access to the results via the service provider's web site in response to input of a pre-arranged password.
Advances in genome sequencing technology mean that genetic analysis is expected to become more efficient and cost effective. The extent of the genetic data that can reasonably be provided via such services is likely to expand accordingly. For the cost of obtaining only a few genome indicators (e.g. a few health markers) using current technology, it is feasible that developing technologies will offer much more extensive genome analysis, and even a full genome sequence. This is clearly very sensitive private data, and proper handling of this data is of the utmost importance. Genetic analysis services may be subject to government regulations on privacy protection, such as the Privacy Act of 2005 and the Genetic Information Nondiscrimination Act of 2008 in the United States, as well as customer demands for proper handling of their private data. Ensuring confidentiality of the analysis results is critical, so that results cannot be accessed by unauthorized parties. The linking of genetic data to an actual identity of a user, e.g. a mailing address or e-mail address, is also highly controversial, as the possibility of misuse of such personal information has serious implications. These issues are relevant both to analysis service providers and to the analysis facilities that service providers use.
The risk of privacy and security violations is aggravated by the basic procedures involved in the overall analysis process. In the case of Internet-based, commercial analysis operations, for instance, a user first needs to obtain a sampling kit. This is usually sent to the user's postal address, and requires payment, usually by credit card or bank transfer. The final results are usually obtained by on-line review of a named user account. These information flows and procedures link a user's true identity to the analysis results and pose severe privacy and security risks. For example, the risk of unauthorized access to the user's results depends heavily on the security the service provider imposes on user accounts, and there is always a risk of malicious intervention to circumvent such procedures, allowing access to results without user consent. Similar considerations also apply to analyses for medical organizations where a patient's genetic data, for example, is requested by a medical practitioner from an analysis service provider. The process usually requires some identification of the user, usually linked to an insurance or payer organization, and the risk of unauthorized access to the analysis results is again severe. For genetic analysis in particular, the implications of availability of genetic data are deeply significant, and the need for effective privacy protection is extreme. The topic of strong privacy and genetic analysis has been addressed to some extent in "Privacy-Preserving Genomic Computation Through Program Specialization", Reiter et al., ACM Conference on Computer and Communications Security 2009, 338-347. In general, however, current proposals for privacy protection in analysis processes only leverage normal postal exchanges, passwords, and perhaps electronic signatures for normal authentication of message senders.